Security requires constant vigilance. There needs to be a system in place that says to you and all your employees that we are always watching. We are watching for ways to improve, we are watching for security violations, we are watching for lax security practices. This is not an onerous or oppressive practice. It is a practice of alertness and constancy.
To paraphrase Thomas Jefferson, “the price of security is constant vigilance.” Without this vigilance you have but a point in time where you may be secure on the endless spectrum of risk. The virtues of consistency and constancy will serve you well when you are in the middle of a major attack and you know just what to do. Having these habits built into your system will give you the confidence and calmness you will need.
The Third Line
Perhaps one of the most difficult human endeavors anywhere in terms of skill, concentration, and risk is landing a naval jet on an aircraft carrier. Naval aviators will tell you that this is without a doubt the most difficult part of the mission. When landing on an aircraft carrier, naval aviators are graded on every single landing, from the first one they ever do to the last. They are immediately taken below decks, where they review with an expert aviator how well they did. Were they too high? Did they have enough power? Were they following their landing instruments properly? All of these factors are taken into account every single time.
The goal is to not give our valued aviators the leeway to leave anything to chance, which could result in catastrophe. This constant vigilance, this constant grading, inherently creates an environment of excellence. It takes an endeavor that is extremely complex, resource intensive, and dangerous and makes it look routine to the untrained eye. It is certainly not.
A Habit Of Vigilance
Just like the naval aviators, you too need to create a regime of constant vigilance. No one is saying someone is going to die if your cyber security is not just right. I am not saying this at all. The lesson is that maintaining a system or a habit of vigilance will serve your organization over time. Think of the employee who now knows something is wrong when he sees a coworker shouting a password across a row of cubicles, or the IT employee who sees a huge jumbled mess of cables in the data center.
These are the habits that should tell them something is up, and that something should be addressed by someone, most likely your security authority for their area. This constant vigilance also takes the form of auditing and reporting on your security posture on an ongoing basis. Once again, this is not a static endeavor. It is a constant practice over time. No, you don’t have to do it every day or every week. But a bi-annual or even quarterly review should be done. This will give you first the vigilance, and second the grading to maintain your excellence. This is the path to safety and security. All the expensive technologies and tools in the world cannot replace these practices.